Best practices after DDoS attack?
July 4, 2014 12:13 PM

There was a distributed denial-of-service (DDoS) attack on my personal website, causing my shared web hosting provider to suspend my account and request that I find another web host. Someone sent me an ominous message on Twitter implying that they were responsible. I have never had anything like this happen before. I have a backup of everything and I can find another web host (with DDoS protection this time), but I am a little perturbed by the experience. Is there anything else I should do? How do I prevent this from happening again?
posted by oulipian to Computers & Internet (2 answers total) 4 users marked this as a favorite
Best answer: If you have control of the DNS for your domain, you can use the free tier of Cloudflare. That should keep most DDoS attacks at bay, I think.
posted by MiG at 12:23 PM on July 4, 2014 [2 favorites]

Best answer: First, I would report this to the FBI. I'd expect them not to do much/anything about it, but they are looking into some more high-profile DDoS attacks, so you never know. There's also the chance that this is someone who doesn't know how to adequately shield himself from discovery, and someone might be able to find him based on his comments to you.

Second, don't respond. Don't capitulate. Don't negotiate. Zero feedback for the perpetrator (real or alleged). Hope he gets bored. If you have to communicate publicly about the DDoS, be as vague as possible.

Third, if you're worried about this happening again, do not disclose or leak your IP address. Use CloudFlare (or another provider, depending on how much you're willing to pay) and route all traffic through that. Keep your IPs, hosts, or hostnames out of your error messages. CloudFlare is great, but if the attacker finds your root IP, he can go right around it.

Fourth, depending on the KIND of attack you received, you might be able to figure out what servers he was using. For example, if he was using NTP Amplification, you probably can't find the possessed computers sending the initial attack but you CAN probably find the servers that are being used as the amplifiers and you can contact their owners about securing them properly. (this is probably a waste of time, but it might help some small amount).
posted by toomuchpete at 12:35 PM on July 4, 2014 [3 favorites]
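The origin-IP leak that toomuchpete's third point warns about can be audited offline against a zone export. This is an added example, not code from the thread: it uses constructed RFC 5737 addresses, a stand-in proxy range, and a hypothetical zone, so `PROXY_RANGES` must be replaced with the ranges your proxy or CDN actually publishes.

```python
"""Flag DNS records that expose an address outside the DDoS-mitigation proxy's
ranges, directly or through CNAME, MX and SPF indirection."""
import ipaddress
import re

# Constructed sample data (RFC 5737 documentation addresses). 203.0.113.0/24
# stands in for the proxy's ranges; 198.51.100.5 plays the unprotected origin.
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

SAMPLE_ZONE = [
    ("example.com.",      "A",     "203.0.113.10"),                  # proxied: fine
    ("www.example.com.",  "CNAME", "example.com."),                  # resolves to proxied A
    ("mail.example.com.", "A",     "198.51.100.5"),                  # bare origin address
    ("example.com.",      "MX",    "10 mail.example.com."),          # points at the leak
    ("example.com.",      "TXT",   "v=spf1 ip4:198.51.100.5 -all"),  # SPF lists origin
]


def _behind_proxy(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def _addresses_for(name, zone, depth=0):
    """Resolve a name using only the zone data, following CNAME chains."""
    if depth > 8:                      # guard against CNAME loops in bad zone data
        return []
    out = []
    for rname, rtype, value in zone:
        if rname == name and rtype == "A":
            out.append(value)
        elif rname == name and rtype == "CNAME":
            out.extend(_addresses_for(value, zone, depth + 1))
    return out


def find_origin_leaks(zone, proxy_ranges=PROXY_RANGES):
    """Return (name, type, value, exposed_ip) for each record that reveals an
    address outside proxy_ranges. Records of other types are ignored."""
    leaks = []
    for name, rtype, value in zone:
        if rtype == "A":
            ips = [value]
        elif rtype == "CNAME":
            ips = _addresses_for(value, zone)
        elif rtype == "MX":                      # "<priority> <host>"
            ips = _addresses_for(value.split()[-1], zone)
        elif rtype == "TXT" and value.startswith("v=spf1"):
            ips = re.findall(r"ip4:([\d.]+)", value)
        else:
            continue
        leaks += [(name, rtype, value, ip) for ip in ips if not _behind_proxy(ip, proxy_ranges)]
    return leaks
```

Against the sample zone this reports the mail host, the MX pointing at it, and the SPF record, which are exactly the places a DNS-only setup typically leaves the origin visible.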
